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A FLEXIBLE WLAN ACCESS POINT ARCHITECTURE CAPABLE 
OF ACCOMMODATING DIFFERENT USER DEVICES 

5 

RELATED APPLICATION 

This application claims the benefit of U.S. Provisional Application No. 60/454,558, 
filed March 4, 2003, and is incoiporated herein by reference. 

10 L Field of the invention 

The invention provides an apparatus and a method controlling access by a user 
terminal to a communications network, and in particular, an apparatus and a method for 
controlling access by a mobile terminal to a WLAN by accommodating for each mobile 
terminal its particular capabilities and selecting accordingly, the optimum available 

15 authentication mechanism. 

2. Description of Related Art 

The context of the present invention is the family of wireless local area networks or 
(WLAN) employing the IEEE 802. lx architecture having an access point that provides access 

20 for mobile devices and to other networks, such as hard d wired local area and global networks, 
such as the Internet. Advancements in WLAN technology have resulted in the publicly 
accessible at rest stops, cafes, libraries and similar public facilities ("hot spots")- Presently, 
public WLANs offer mobile communication device users access to a private data network, 
such as a corporate intranet, or a public data network such as the Internet, peer-to-peer 

25 communication and live wireless TV broadcasting. The relatively low cost to implement and 
operate a public WLAN, as well as the available high bandwidth (usually in excess of 10 
Megabits/second) makes the public WLAN an ideal access mechanism through which mobile 
wireless communications device users can exchange packets with an external entity, however 
as will be discussed below, such open deployment may compromise security unless adequate 

30 means for identification and authentication exists. 

When a user operating a terminal incorporating the IEEE 802. lx protocol ("client 
terminal" or simply "IEEE 802. lx client") attempts to access a public WLAN at a hot spot, 
the IEEE 802. lx client terminal would begin the authentication process according to its 
current machine configuration. After authentication, the public WLAN opens a secure data 
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channel to the mobile communications device to protect the privacy of data passing between 
the WLAN and the device. Presently, many manufacturers of WLAN equipment have adopted 
the IEEE 802. Ix protocol for deployed equipment. However, other devices utilizing WLAN 
may use other protocols such as may be provided by wired electronic privacy (WEP). 
5 Notably, the predominant authentication mechanism for WLAN utilizes the IEEE 802. lx 
protocol. Unfortunately, the IEEE 802. lx protocol was designed with private LAN access as 
its usage model. Hence, the IEEE 802. lx protocol does not provide certain convenient 
features necessary in a public WLAN environment. A further problem with the current 
predominant standard is that it requires IEEE 802. lx protocol client software installation and 

10 configuration. In addition, the IEEE 802. lx protocol does not have a sophisticated mechanism 
for interacting with the user. The access point can only send simple messages to the client via 
electronic access point (EAP) notification. This may be sufficient for an enterprise setting, but 
in a hot spot the access point might require that the user accept an end user license before 
permitting access. In some instances, the access point needs to inform the user about service 

15 charges. One solution would be to provide the access point the capability to interact with the 
users via the web browser interface. 

Most existing WLAN hot spot wireless providers use a web browser based solution for 
user authentication and access control offering convenience to the user that does not require 
any software download on the user device. As illustrated in Figure 1, the relationships among 

20 primary entities typically involved in an authentication in a public WLAN environment are a 
mobile terminal (MT), a WLAN access point (AP), a local server and an authentication server 
(AS). In the web based solution, the user is securely authenticated through HTTPS by the AS, 
which in turn notifies the AP to grant access to the MT. The WLAN operator may own such 
an authorization server or any third party providers, such as Independent Service Providers 

25 (ISPs), pre-paid card providers or cellular operators, referred to more broadly as virtual 

operators. A public WLAN hot spot, therefore, should accommodate such different client and 
operator capabilities, based on which, the WLAN should have the ability to select different 
authentication mechanisms. The prior art has not sufficiently addressed means that would 
provide such capabilities, however, the invention described herein, provides a novel solution. 



30 
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SUMMARY OF THE INVENTION 

What is desired is an apparatus and a method for improving the security, or control of 
access by a user terminal, to a communications network, in particular the control of access by 
5 a mobile terminal to a wireless local area network. 

The invention provides a method for controlling the access by a terminal device by 
determining the type of authentication protocol associated with the terminal device and 
automatically routing the authentication request to the appropriate authentication server. 

10 Specifically, the invention herein provides a method for controlling the access of a terminal 
device in a WLAN environment by determining whether a terminal device utilizes an IEEE 
802. lx protocol, comprising the steps of an access point communicating to the mobile 
terminal a request to identify, and if the mobile terminal utilizes an IEEE 802. lx protocol 
acknowledging the request to identify, otherwise the access point determines that the mobile 

15 terminal does not employ a IEEE 802. lx protocol and therefore selects an authentication 
mechanism compatible with the mobile terminal. 

If the terminal device is not IEEE 802. lx compliant the access point initiates a state in 
the access point that indicates the terminal is a non-IEEE 802. lx protocol and configures an 

20 IP packet filter and redirects a user HTTP request to a local server. The process of the present 
invention may also communicate from the local server to the terminal device information 
specifically related to a browser-based authentication. If the device utilizes the IEEE 802. lx 
protocol, the access point transitions to a state that indicates that the mobile terminal is IEEE 
802. lx compliant and thereafter processes all further communication utilizing the IEEE 

25 802. lx protocol. In the event that the authentication process fails, then one embodiment of the 
present invention initiates in the access point, a failure condition. 

One embodiment of the invention for improving the security of a terminal device in a 
WLAN environment utilizes the access point for determining whether the device utilizes an 
30 IEEE 802. lx protocol, by having the access point communicate to the terminal device a 
Request-Identity EAP packet, whereby if the devices utilizes a IEEE 802. lx protocol the 
device responds with a Response-Identity EAP packet and otherwise the access point 
determines that the mobile terminal protocol does not employ a IEEE 802. lx protocol (e.g. 
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based on timeout) and selects an authentication mechanism compatible with the mobile 
terminal. 



The invention for improving the security of a terminal device in a WLAN environment 
5 also includes an apparatus comprised of an access point in communication with a terminal 
device in a WLAN environment utilizing a means to determine whether the terminal device 
utilizes an IEEE 802. lx protocol and if the terminal does not utilize said protocol then the 
access point employs an authentication means compatible with the terminal device otherwise 
the access point employs an IEEE 802. lx protocol. The access point means to determine 
10 includes communicating to the terminal device a Request-Identity EAP packet and if the 
mobile terminal utilizes the IEEE 802. lx protocol the access receives a Response-Identity 
EAP packet. The access point further comprises the means to configure an IP packet filtering 
to redirect the device HTTP request to a local server if the terminal device does not utilize 
said protocol. 

15 

In a further embodiment of the apparatus, the access point includes a means to 
communicate IEEE 802. lx protocol exchanges and means to establish IP packet filtering 
through an IP filter module and state information for the HTTP server to control the terminal 
device access during and after IEEE 802. lx based authentication process if the access point 
20 detects that the terminal device is an IEEE 802. lx client. 

BRIEF DESCRIPTION OF THE DRAWINGS 

The invention is best understood from the following detailed description when read in 
25 connection with the accompanying drawing. The various features of the drawings are not 

specified exhaustively. On the contrary, the various features may be arbitrarily expanded or 
reduced for clarity. Included in the drawing are the following figures: 

FIG. 1 is a block diagram of a communications system for practicing the method of the 
30 present invention for improving the security of a terminal device in a WLAN environment. 

FIG. 2 is a flow diagram of the method of the authentication sequence of present invention. 
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FIG. 3 is a flow diagram of the method of the present invention illustrating an authentication 
failure. 

FIG. 4 is a block diagram of an apparatus for implementing the present invention. 

5 

DETAILED DESCRIPTION OF THE INVENTION 

In the figures to be discussed the circuits and associated blocks and arrows represent 
functions of the process according to the present invention, which may be implemented as 
10 electrical circuits and associated wires or data busses, that transport electrical signals. 

Alternatively, one or more associated arrows may represent communication (e.g., data flow) 
between software routines, particularly when the present method or apparatus of the present 
invention is implemented as a digital process. 

In accordance with FIG. 1, one or more mobile terminals represented by 140 x through 
15 140 n communicate through an access point (AP) through 130 n? local computer 120, in 

association with firewalls 122 and one or more virtual operators 150i_ n , such as authentication 
server 1 5 0 n . Communication from terminals 140i_ n typically require accessing a secured data 
base or other resources, utilizing the Internet 1 10 and associated communication paths 154 
and 152 that require a high degree of security from unauthorized entities, such as would be 
20 hackers. 

As further illustrated in FIG. 1, the WLAN architecture encompasses several 
components and services that interact to provide station mobility transparent to the higher 
layers of a network stack. The AP stations such as access points 130i_ n and mobile terminals 
140i_ n as the components connect to the wireless medium and typically contain the 

25 functionality of the IEEE 802. lx protocols, that being MAC (Medium Access Control) 134i_ n , 
and corresponding PHY (Physical Layer) (unshown), and a connection 127 to the wireless 
media. Communication functions and protocols are implemented in the hardware and software 
of a wireless modem or a network access or interface card. This invention proposes a method 
for implementing a means in the communication stream such that an access point 130 n 

30 improves the security of a terminal device in a WLAN environment 115 whether the device 
utilizes an IEEE 802. lx protocol or not and remain within the compatibility requirements of a 
IEEE 802. lx WLAN MAC layers for downlink traffic (e.g. from the an authentication server 
150 to the mobile terminal 140 n such as a laptop) as each may participate in the authentication 
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of one or more wireless mobile devices 140i- n ,, a local server 120 and a virtual operator such 
as the authentication server 150. 

In accordance with the present principles of the invention, an access 160 enables each 
mobile terminals 140i_ n , to securely access a WLAN 1 15 by authenticating the mobile 
5 terminal 140i_ n as well as its communication stream in accordance with the IEEE 802. lx 

protocol or other optional protocol as the specific terminal 140i_ n may choose. The manner in 
which the access 160 enables such secure access can best be understood by reference to FIG. 
2, which depicts the sequence of interactions that occurs among a mobile wireless 
communication device, say mobile terminal 140 n , the public WLAN 1 15, Authentication 

10 server 150 n . When configured with the IEEE 802. 1 x protocols, the access point 130 n of FIG. 
1 maintains a controlled port and an un-controlled port, through which the access point 
exchanges information, with the mobile terminals 140 n . The controlled port maintained by the 
access point 130 n serves as the entry way for non-authentication information, such as data 
traffic, to pass through the access point between the WLAN 115 and the mobile terminals 

15 140 n . Ordinarily, the access point 130- n keeps the respective controlled port closed in 
accordance with the IEEE 802. lx protocol until authentication of the mobile wireless 
communications device. The access points 130 n always maintains the respective uncontrolled 
port open to permit the mobile terminals 140 n to exchange authentication data with the local 
survey or virtual server 150 n . 

20 

With reference to FIG. 2 9 a further embodiment of the present invention is the 
utilization of the access point 130 n to create several operational states. Following an EAP 
Response-Identity packet 220 a state lx_progress 340 indicates that the mobile terminal 140 n 
is an IEEE 802. lx client and the 802. lx authentication process is ongoing. Such means to 

25 select from one or more available security protocols is well known by those skilled in the art 
of programming and engineering in a WLAN environment. The 802. IX engine 325 is 
therefore responsible for client detection and providing the client capability information to 
other modules of the system. In addition it also implements RADIUS client functionality to 
convert EAP messages to RADIUS messages, forwarding such messages in the form of an 

30 radius access request 230 and responding to radius access reject messages 240. The packet 
filter module 330 is responsible for filtering packets based on the criteria set by other 
modules. The method utilized by the access point to determines that the terminal is not IEEE 
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802. lx protocol compliant is based upon timing out a pre-established timer, before it receives 
the EAP request identity response packet. 



More particularly, FIG. 3 illustrates an embodiment of the method of the present 
5 invention wherein the access point 130 n detects that the mobile terminal 140 n is not an 

authenticated IEEE 802. lx client, and redirects client 335 to thereby configure through an IP 
packet filter module 330 a redirect to the HTTP server 120 via a web request redirect 345. 
Alternatively, mobile terminal 140 n may send a direct web access request 355, which is 
redirected by the packet filter module 330 to the HTTP server 120. The HTTP server 120 
10 responds with information 350 specifically related to the browser based authentication. 

In the case where the access point 130 n detects that the terminal device is an IEEE 
802. lx client, it permits normal IEEE 802. lx protocol communication exchanges to proceed 
through the access point 130 n and sets up appropriate IP packet filtering through IP filter 
module 330 and state information for the HTTP server 120 to control the mobile terminal 140 n 
15 user access during and after IEEE 802. lx based authentication process. 

As indicated above, the WLAN 1 15 system must maintain proper state information for 
the system to function properly. Such state information will be provided by the access point 
130 n 802. lx engine, which is used by, among other things, the packet filtering function 330 
and the HTTP server 120. With reference to FIG. 3, a further embodiment of the present 

20 invention is the utilization of the access point 130 n 802.1 x engine to create several 

operational states. Following a Response-Identity EAP packet 220 a state lx_progress 340 
indicates that the mobile terminal 140 n is an IEEE 802. lx client and the 802. lx authentication 
process is ongoing. Following a Response-Identity EAP packet 220 a state lx_failure 350 
would indicate that the 802. lx authentication process failed for one of more reasons, not 

25 pertinent to the invention herein. Following a Response-Identity EAP packet 220 a state 
non_lx 360 would indicate that the mobile terminal 140 n is a non-IEEE 802. lx client. 
Because for such a client, all access controls are done at the higher layers, no further 
classification of state is necessary. 

30 The access point includes an 802. IX engine 325, which is a module that implements 

the IEEE 802. IX protocol with the determining means necessary to carry out the steps of the 
invention. Such means to select from one or more available security protocols is well known 
by those skilled in the art of programming and engineering in a WLAN environment. The 
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802. IX engine 325 is therefore responsible for client detection and providing the client 
capability information to other modules of the system. In addition it also implements 
RADIUS client functionality to convert EAP messages to RADIUS messages. The packet 
filter module 330 is responsible for filtering packets based on the criteria set by other 
5 modules. 

Referring to FIG. 4 is an apparatus of the present the invention for improving the 
security of the terminal device 140 n in the WLAN 115 environment. The access point 130 n 
maintains communication with the terminal device 140 n terminal device and utilizes a means 

10 415 to determine whether the terminal device 140 n utilizes an IEEE 802. lx protocol and if the 
terminal 140 n does not utilize said protocol then the access point 130 n employs an 
authentication means 420 compatible with the terminal device 140 n otherwise the access point 
employs an IEEE 802. lx protocol utilizing means 425. The access point 130 n means to 
determine includes communicating to the terminal device 140 n a Request-Identity EAP packet 

15 and if the mobile terminal 140 n utilizes the IEEE 802. lx protocol the access point 130 n 

receives a Response-Identity EAP packet. The access point 130 n further comprises the means 
430 to configure an IP packet filtering to redirect through means 435 the device HTTP request 
to a local server if the terminal device 140 n does not utilize the protocol. In the event the IEEE 
802. lx protocol is utilized then the means 425 utilizes means 440 to insure that the 

20 communication is not redirected. 

In a further embodiment of the apparatus, the access point includes a means to 
communicate IEEE 802. lx protocol exchanges and means to establish IP packet filtering 
through an IP filter module and state information for the HTTP server to control the terminal 
25 device access during and after IEEE 802. lx based authentication process if the access point 
detects that the terminal device is an IEEE 802. lx client. 

It is to be understood that the form of this invention as shown is merely a preferred 
30 embodiment. Various changes may be made in the function and arrangement of parts; 

equivalent means may be substituted for those illustrated and described; and certain features 
may be used independently from others without departing from the spirit and scope of the 
invention as defined in the following claims. 



WO 2004/084464 



PCT/US2004/007805 



9 

1 . A method for controlling access by a user terminal to a communications network, 
comprising the steps of: 

receiving from the user terminal a request to access the communications network; 

transmitting to the user terminal an identity request message; 

receiving from the user terminal, if the user terminal utilizes a predetermined 
authentication protocol, a response to the identity request message; 

determining whether the user terminal uses the predetermined authentication protocol 
in response to the response to the identity request message; and 

selecting an authentication mechanism, compatible with the user terminal in response 
to the determination, for allowing user terminal access to the communications. 

2. The method according to claim 1 3 wherein the user terminal comprises a mobile 
terminal and the communications network comprises a wireless local area network WLAN 

that complies with the IEEE 802.1 1 standards. 

3. The method according to claim 2, wherein the selecting step includes selecting an 
appropriate authentication server coupled to the WLAN in response to the determination. 

4. A method for controlling mobile terminal access to a wireless local area network 
(WLAN), comprising the steps of: 

receiving from the mobile terminal a request to access the WLAN; 

transmitting to the mobile terminal an identity request message; 

receiving from the mobile terminal, if the mobile terminal utilizes an IEEE 802. Ix 
protocol^ a response to the identity request message; 

determining whether the mobile terminal is IEEE 802. lx compliant in response to the 
response to the identity request message; and 

selecting an authentication mechanism, compatible with the mobile terminal in 
response to the determination, for allowing mobile terminal access to the WLAN. 

5. The method according to claim 4, further comprising the steps of 5 if the mobile 
terminal is IEEE 802. lx compliant, transmitting an authentication request to an authentication 
server and receiving an authentication response utilizing the IEEE 802. lx protocol, and 
controlling mobile terminal access to the WLAN in response to the authentication response. 

SUBSTITUTE SHEET (RULE 26) 
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6. The method according to claim 4, further comprising the steps of, if the mobile 
terminal is not IEEE 802. lx compliant, redirecting an authentication request to an HTTP 
server for utilizing a browser based authentication. 

5 

7. The method according to claim 6, further comprising the step of configuring a packet 
filtering module to redirect the authentication request to the HTTP server. 

8. The method according to claim 7, further comprising the step of maintaining state 
10 information in the WLAN for use by the packet filtering module and the HTTP server. 

9. The method according to claim 8, wherein the state information includes one of a first 
state indicative of ongoing authentication process, a second state indicative of authentication 
failure, a third state indicative of authentication success, and a fourth state indicative of a non 

1 5 IEEE 802. lx mobile terminal. 

10. An access point in communication with a terminal device in a wireless local area 
network, comprising: 

a means to determine whether the terminal device utilises an IEEE 802. lit protocol 
20 and, if the terminal does not utilize said protocol, then the access point employing an 
authentication means compatible with the terminal device otherwise the access point 
employing an IEEE 802. lx protocol. 

1 1. The access point in claim 10, wherein the means to determine includes communicating 

V 

25 to the terminal device a Request-Identity EAP packet and if the mobile terminal utilizes the 
IEEE 802. lx protocol the access receives a Response-Identity EAP packet. 

12. The access point in claim 1 1, further comprises the means to configure an BP packet 
filtering to redirect the device HTTP request to a local server if the terminal device does not 

30 utilize said protocol. 



13. The access point in claim 10, further comprises means to communicate IEEE 802. lx 
protocol exchanges and means to establish IP packet filtering through an IP filter module and 

SUBSTITUTE SHEET (RULE 26) 
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state information for the HTTP server to control the terminal device access during and after 
IEEE 802. lx based authentication process if the access point detects that the terminal device 
is an IEEE 802. lx client. 

5 14. A method for controlling access by a terminal device in a wireless local area network 
by determining whether the terminal device utilizes an IEEE 802. lx protocol comprising the 
steps of: 

an access point communicating to the mobile terminal a request to identify, and if the 
terminal device utilizes an IEEE 802.1x protocol, acknowledging the request to identify, 
10 otherwise the access point determining that the terminal is not IEEE 802. lx compliant and 
selecting an authentication mechanism compatible with the mobile terminal. 

15. The method according to claim 14, wherein the access point determines that the 

terminal is not IEEE 802. Ik compliant when it does not receive an EAP identity response 
1 5 packet after a timeout value. 

1 6. The method according to claim 15, further comprising the step of access point 
detecting that if the terminal device is not IEEE 802. lx compliant, then configuring an IP 

packet filter and redirecting a user HTTP request to a local server. 

20 

17. The method according to claim 16, further comprising the step of the local server 
communicating to the terminal device information specifically related to a browser based 
authentication. 

25 18. The method according to claim 17, further comprising the step of the access point 
transitioning to a state if the terminal device utilizes the IEEE 802. lx protocol that indicates 
that the terminal device is IEEE 802. lx compliant and thereafter processing all 
communication utilizing the IEEE 802. lx protocol. 

30 19. The method according to claim 17, further comprising the step of the access point 
transitioning to a state corresponding to browser based authentication if the authentication 
process fails. 
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20. The method according to claim 14, further comprising the step of the access point 
transitioning to a state corresponding to browser based authentication if the terminal device is 
not IEEE 802. lx compliant. 

5 21. A method for controlling access of a terminal device in a WLAN by determining 
whether the terminal device utilizes an IEEE 802. lx protocol comprising the steps of: 
communicating through the an access point to the mobile terminal a request to identify, and if 
the terminal device utilizes an IEEE 802. lx protocol, acknowledging the request to identify, 
otherwise determining by the access point that the terminal is not IEEE 802. lx compliant and 
10 selecting an authentication mechanism compatible with the terminal. 

22. The method according to claim 21, further comprising the step of determining in the 
access point that terminal is not IEEE 802. lx compliant if it does not receive an EAP identity 

response packet after a preset time. 

15 

23. The method according to claim 21, further comprising the step of detecting in the 
access point that if the terminal device is not IEEE 802. lx compliant, then configuring an IP 
packet filter and redirecting a user HTTP request to a local server. 

20 24. The method according to claim 23 , further comprising the step of communicating from 
the local server to the terminal device, information specifically related to a browser based 
authentication. 

25. The method according to claim 21, further comprising the step of transitioning to a 
25 state in the access point if the terminal device utilizes the IEEE 802. lx protocol that indicates 

that the terminal device is IEEE 802. lx compliant and thereafter processing all 
communication utilizing the IEEE 802. lx protocol. 

26. The method according to claim 25, further comprising the step of transitioning to a 
30 state in the access point corresponding to browser based authentication if the authentication 

process fails. 
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27. The method according to claim 21 , further comprising the step of transitioning to a 
state in the access point corresponding to browser based authentication if the terminal device 
is not IEEE 802. lx compliant. 
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